This document outlines the theory and practice of enterprise risk management (ERM). It discusses how ERM works differently in private versus public sector organizations due to differences in goals and risk tolerance. The document proposes a framework for implementing ERM with five phases: risk governance, risk assessment, risk quantification, risk monitoring and reporting, and risk optimization. It also describes steps to implement ERM such as obtaining buy-in, building an ERM foundation, conducting risk assessments, ongoing monitoring, and developing reporting. Roadblocks to implementation like resistance to change are also addressed.
2. This paper:
illustrates how ERM works in practice;
affirms that a one-size-fits-all ERM does not suit both private and public sector organisations;
highlights the differences in risk and risk tolerance between private and public sector organisations;
suggests that the ERM process must reflect the delegation of risk-taking authority within the organisation;
articulates a model for reporting on ERM through annual reports and management certification.
Introduction
3. ERM is an ongoing process, not a one-off task.
ERM focuses on the risks that could be significant to an organisation, with significance measured in terms of the impact of the risk event (the decision point) and its probability of occurrence.
ERM takes an enterprise-level view of every significant risk or decision issue.
ERM demonstrates that significant decision issues are well managed.
Understanding Key Concepts around ERM
4. ERM is a principle of good management and an important part of an organisation's overall governance and management framework.
ERM helps the organisation reap the benefits of good management decisions.
ERM helps focus the organisation's business plan on the right issues, so that resources are allocated to the areas of greatest value.
ERM protects the value of the firm.
Rationale for ERM Practice
5. Framework for Implementing ERM
S/N  Phase                                 Description of Phase
1.   Risk Governance                       Develop an approach for understanding, building, supporting and embedding risk strategies and accountabilities.
2.   Risk Assessment                       Identification, assessment and categorisation of risks across the organisation.
3.   Risk Quantification and Aggregation   Measurement, analysis and consolidation of enterprise risks.
4.   Risk Monitoring and Reporting         Reporting, monitoring and assurance activities.
5.   Risk and Control Optimisation         Using risk and control information to increase performance.
6. Framework for Implementing ERM
An organisation's goals and ownership shape the type and nature of its risks. For example:
Strategic risks exist mostly for private sector organisations and rarely for public sector organisations.
Liquidity risks in public sector organisations take on a different nature from those in private sector organisations.
Reputational risks affect private sector organisations more than public sector organisations.
7. Framework for Implementing ERM
An organisation's performance measures, goals and ownership dictate how it perceives risk.
For instance, private sector firms view risks as opportunities with the potential to add value, whereas public sector organisations are concerned with potential adverse outcomes arising from political exigencies or threats to the fulfilment of public policy mandates.
8. Steps in Implementing ERM
1. Get ERM buy-in.
2. Build an ERM foundation.
3. Initiate an enterprise-level risk assessment.
4. Conduct an ongoing assessment of significant risks.
5. Develop an ERM reporting framework.
9. Steps in Implementing ERM
1. Get ERM buy-in.
Convince management and the governing body of the value of ERM.
Obtain direction, oversight and resources for the ERM implementation.
Secure the support of the Board and make the CEO the ERM champion.
Build an effective but cost-efficient ERM process.
10. Steps in Implementing ERM
2. Build an ERM foundation.
Set goals for the implementation of ERM in the organisation.
Formalise the roles and responsibilities of management and the Board by establishing an ERM policy.
Obtain an understanding of the significant risks to which the firm is exposed.
Establish appropriate risk management policies for those significant risks, with periodic review.
Manage risks according to the ERM policies.
Report to the Board and management on ERM issues.
Charge a Chief Risk Officer with responsibility for coordinating and facilitating ERM.
Set up a management committee to confirm the ERM implementation approach and ongoing results.
11. Steps in Implementing ERM
3. Initiate an enterprise-level risk assessment.
Update the list of corporate risks, the risk register and the risk categories, definitions and examples of each risk.
Conduct individual interviews with executive and non-executive members to obtain their understanding of the key risks facing their direct area of responsibility and those facing the firm as a whole.
Assess the significance of each risk identified and summarise the practices and controls unique to the firm.
Agree a qualitative rating scale, e.g. low, moderate and high, and use it to assess the impact of a potential worst-case risk event and the likelihood that the event would occur.
Categorise each resulting risk exposure as stable, decreasing or increasing.
Compare each risk initiative against corporate plans.
Conduct a gap analysis to confirm whether Board policies are in place for each significant risk.
12. Steps in Implementing ERM
4. Conduct an ongoing assessment of significant risks.
Organisations are not static, and neither are their significant risks; therefore re-evaluate risks from time to time.
Identify emerging risks and categorise them appropriately.
Build risk assessment into day-to-day decision making.
13. Steps in Implementing ERM
5. Develop an ERM reporting framework.
ERM-related information should be given to those making decisions about significant risks on a day-to-day basis.
ERM reports should be given to management, internal and external auditors and other external stakeholders.
ERM reports should contain the following:
a) a catalogue of significant risks;
b) risk categories;
c) a risk exposure map;
d) a detailed risk report; and
e) a summary risk report.
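As an added worked example (not code from the paper), the risk register, qualitative rating scale, trend categorisation and gap analysis of step 3 and the exposure map, detailed report and summary report of step 5 can be modelled together in a few lines of Python. The register entries, the thresholds that map impact x likelihood back to low/moderate/high, and the Board-policy flags are constructed assumptions for illustration only.

```python
"""Qualitative risk register with exposure map, gap analysis and reports.

Worked example added to this page; it is not code from the paper. The
rating scale follows the paper's low/moderate/high suggestion; the
thresholds, register entries and policy flags are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SCALE = {"low": 1, "moderate": 2, "high": 3}    # qualitative rating scale
TRENDS = ("stable", "decreasing", "increasing")  # direction of exposure


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # risk category from the register's taxonomy
    impact: str         # impact of the worst-case risk event
    likelihood: str     # likelihood that the event occurs
    trend: str          # stable / decreasing / increasing exposure
    board_policy: bool  # is a Board policy in place for this risk?


def validate(risk: Risk) -> None:
    """Reject register entries that use ratings outside the agreed scale."""
    for attr in ("impact", "likelihood"):
        if getattr(risk, attr) not in SCALE:
            raise ValueError(f"{risk.name}: {attr} must be one of {sorted(SCALE)}")
    if risk.trend not in TRENDS:
        raise ValueError(f"{risk.name}: trend must be one of {TRENDS}")


def exposure_score(risk: Risk) -> int:
    """Impact x likelihood on the 1-3 scale, giving a score from 1 to 9."""
    return SCALE[risk.impact] * SCALE[risk.likelihood]


def exposure_level(risk: Risk) -> str:
    """Collapse the score back to the qualitative scale (assumed thresholds)."""
    score = exposure_score(risk)
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def exposure_map(register):
    """Risk exposure map: names of the risks in each (impact, likelihood) cell."""
    grid = {(imp, lik): [] for imp in SCALE for lik in SCALE}
    for risk in register:
        grid[(risk.impact, risk.likelihood)].append(risk.name)
    return grid


def gap_analysis(register):
    """Significant risks (moderate or high exposure) with no Board policy."""
    return [r.name for r in register
            if exposure_level(r) != "low" and not r.board_policy]


def detailed_report(register):
    """One row per risk, most exposed first."""
    rows = [{"risk": r.name, "category": r.category, "impact": r.impact,
             "likelihood": r.likelihood, "score": exposure_score(r),
             "level": exposure_level(r), "trend": r.trend,
             "board_policy": r.board_policy} for r in register]
    return sorted(rows, key=lambda row: (-row["score"], row["risk"]))


def summary_report(register):
    """Counts and exceptions for the Board, plus the catalogue of significant risks."""
    return {
        "total": len(register),
        "by_level": dict(Counter(exposure_level(r) for r in register)),
        "by_category": dict(Counter(r.category for r in register)),
        "significant": [r.name for r in register if exposure_level(r) != "low"],
        "increasing": [r.name for r in register if r.trend == "increasing"],
        "policy_gaps": gap_analysis(register),
    }


# Constructed sample register (illustrative entries, not real data).
REGISTER = [
    Risk("Core banking system outage", "operational", "high", "moderate", "increasing", True),
    Risk("Customer data breach", "operational", "high", "low", "increasing", False),
    Risk("Regulatory fine for late filing", "compliance", "moderate", "moderate", "stable", True),
    Risk("Key supplier insolvency", "strategic", "moderate", "low", "decreasing", False),
    Risk("Funding liquidity shortfall", "financial", "high", "high", "stable", True),
    Risk("Negative press coverage", "reputational", "low", "moderate", "increasing", False),
]
for _risk in REGISTER:
    validate(_risk)

if __name__ == "__main__":
    cells = sorted(exposure_map(REGISTER).items(),
                   key=lambda kv: (-SCALE[kv[0][0]], -SCALE[kv[0][1]]))
    for (imp, lik), names in cells:
        print(f"impact={imp:<8} likelihood={lik:<8} {names}")
    print(summary_report(REGISTER))
```

Running the module prints the exposure map cell by cell, hottest first, followed by the summary. The gap analysis deliberately ignores low-exposure risks, so only the moderate or high risks that lack a Board policy surface as exceptions, which is the check step 3 asks for; the trend field lets the summary single out exposures that are increasing regardless of their current level.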
14. Roadblocks in ERM Implementation
Resistance to ERM comes through questions such as: what is it, why do I need it, and what value will it provide?
Resistance to change from the old way of working to the new.
Managing expectations of how long it takes to implement ERM.
Completing ERM: when are we there?
Determining the risk tolerance level for the firm.
15. Conclusion
The goals of public sector organisations differ from those of the private sector, since public sector organisations are public-policy-driven rather than owner-value-driven.
Public sector organisations see risks as obstacles to fulfilling their mandates, whereas private sector organisations see risks as opportunities to maximise value.
One size of ERM does not fit all; therefore tailor ERM to reflect the way the organisation delegates risk-taking authority, and anticipate and resolve the challenges posed by ERM implementation.
The ERM process is like filming an epic movie: first hire a director, next write a clear story, then engage studio executives and actors and shoot the film from act 1, scene 1, while keeping the camera focused on the end goal.